I am trying to develop a new Transform that does one-to-many or many-to-many manipulation with the InspectionBuffer.
I would like to know if the following is possible and how:
ex: (dns.query; mytransform; dataset:isset)
I would like mytransform to be able to register many output InspectionBuffers from each input InspectionBuffer, and have the outputs tested against the dataset until a match happens or the inspection buffer list is exhausted.
It seems a pure transform is only able to do one-to-one InspectionBuffer manipulation.
If anyone has any pointer on how to achieve this let me know.
Francois
P.S. Your help has been very valuable so far, I have been able to make big progress on previous efforts with the tips you have given me. Thanks!
Think this will be tricky. The multibuffer support is currently hardcoded into certain keywords, so we can’t just switch between them. Could make sense to unify it.
Thanks for your input. Long term we would want something like that one to many transform.
For now, do you have an example or documentation for a Suricata FunctionSetup for enabling MultiMatch InspectionBuffers from any buffer?
ex of signature:
dns.query or http.referer; myfunction dataset:isset
For myfunction, I want any input InspectionBuffer (from dns.query, http.host) to spawn a call to my module.
In the function execution I want to issue potentially multiple content inspection calls with this:
const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
                                                NULL, f,
                                                (uint8_t *)buffer->inspect,
                                                buffer->inspect_len,
                                                buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
                                                DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
But to create the intermediate InspectionBuffer (buffer->inspect) I need a DetectEngineTransforms *transforms.
I am not sure how to get it (something like DetectAppLayerInspectEngineRegister2 with a callback?).
At the moment, I call my function from a new custom hard-coded section in detect-engine-content-inspection.c::DetectEngineContentInspection.
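As an added illustration (not code from this thread or from Suricata), the following stand-alone C model shows the control flow the thread is asking for: one input buffer is expanded by a one-to-many transform into several candidate buffers, and each candidate is tested against a dataset until the first match or until the candidate list is exhausted. All names here (candidate_buffer, string_dataset, expand_domain_suffixes, dataset_isset_any, lookup_query) are hypothetical and only mimic the shape of an InspectionBuffer feeding a dataset:isset check; the dataset contents and queries are constructed for the example.

```c
/*
 * Stand-alone model of a one-to-many transform feeding a dataset lookup.
 * Added example; NOT Suricata code. All identifiers below are hypothetical
 * and only mimic an InspectionBuffer being expanded into several candidates
 * that are each tested against a set until one matches or the list is exhausted.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define MAX_CANDIDATES 16

/* One output "buffer": a pointer/length pair into the original input. */
typedef struct {
    const uint8_t *data;
    size_t len;
} candidate_buffer;

/* Constructed stand-in for a dataset of type "string". */
typedef struct {
    const char **entries;
    size_t count;
} string_dataset;

/* One-to-many transform: from "a.b.example.com" emit
 * "a.b.example.com", "b.example.com", "example.com", "com".
 * Returns the number of candidates written to out (at most max_out). */
size_t expand_domain_suffixes(const uint8_t *in, size_t in_len,
                              candidate_buffer *out, size_t max_out)
{
    size_t n = 0;
    size_t start = 0;
    while (n < max_out) {
        out[n].data = in + start;
        out[n].len = in_len - start;
        n++;
        const uint8_t *dot = memchr(in + start, '.', in_len - start);
        if (dot == NULL)
            break;                      /* no more labels */
        start = (size_t)(dot - in) + 1;
        if (start >= in_len)
            break;                      /* trailing dot: nothing left */
    }
    return n;
}

/* Exact match of one candidate against the dataset (like dataset:isset). */
static int dataset_isset(const string_dataset *ds, const candidate_buffer *c)
{
    for (size_t i = 0; i < ds->count; i++) {
        size_t elen = strlen(ds->entries[i]);
        if (elen == c->len && memcmp(ds->entries[i], c->data, elen) == 0)
            return 1;
    }
    return 0;
}

/* Run the transform, then test each output in order. Returns the index of
 * the first matching candidate, or -1 once all candidates have been tried. */
int dataset_isset_any(const string_dataset *ds, const uint8_t *in, size_t in_len)
{
    candidate_buffer cands[MAX_CANDIDATES];
    size_t n = expand_domain_suffixes(in, in_len, cands, MAX_CANDIDATES);
    for (size_t i = 0; i < n; i++) {
        if (dataset_isset(ds, &cands[i]))
            return (int)i;
    }
    return -1;
}

/* Constructed "known bad" parent domains standing in for a loaded dataset. */
static const char *g_bad_entries[] = { "evil.example", "malware.test" };
static const string_dataset g_bad = { g_bad_entries, 2 };

/* Convenience wrappers over NUL-terminated query strings. */
int lookup_query(const char *query)
{
    return dataset_isset_any(&g_bad, (const uint8_t *)query, strlen(query));
}

size_t count_suffixes(const char *query)
{
    candidate_buffer cands[MAX_CANDIDATES];
    return expand_domain_suffixes((const uint8_t *)query, strlen(query),
                                  cands, MAX_CANDIDATES);
}

int main(void)
{
    const char *q1 = "cdn.files.evil.example";   /* hits at suffix index 2 */
    const char *q2 = "www.example.com";          /* no suffix in the set  */
    printf("%s -> %d\n", q1, lookup_query(q1));
    printf("%s -> %d\n", q2, lookup_query(q2));
    return 0;
}
```

The short-circuit in dataset_isset_any is the behaviour requested above: the loop stops at the first candidate the set contains, so a query whose first candidate matches never touches the remaining ones, while a query with no matching candidate walks the whole list before returning -1.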